Merge branch 'release/1.1.5.1'

build.gradle

@@ -18,7 +18,7 @@ plugins {
 }
 
 
-version "1.1.5"
+version "1.1.5.1"
 
 group "au.org.ala"
 

grails-app/services/au/org/ala/images/SanitiserService.groovy

@@ -44,7 +44,7 @@ class SanitiserService {
      * @return
      */
     String sanitise(String input, String imageId, String propertyName) {
-        internalSanitise(policy, imageId, propertyName)
+        internalSanitise(policy, input, imageId, propertyName)
     }
 
     String truncateAndSanitise(String input, String imageId, String propertyName, int length) {

grails-app/taglib/au/org/ala/images/ImagesTagLib.groovy

@@ -295,7 +295,7 @@ class ImagesTagLib {
         def result
         if (image && key) {
             if (length) {
-                result = sanitiserService.truncateAndSanitise(value, length, image, key)
+                result = sanitiserService.truncateAndSanitise(value, image, key, length)
             } else {
                 result = sanitiserService.sanitise(value, image, key)
             }

grails-app/views/image/_coreImageMetadataFragment.gsp

@@ -28,7 +28,7 @@
     </tr>
     <tr>
         <td class="property-name"><g:message code="core.image.metadata.creator" /></td>
-        <td class="property-value"><img:imageMetadata image="${imageInstance.imageIdentifier}" resource="${resourceLevel}" field="creator"/></td>
+        <td class="property-value"><img:imageMetadata image="${imageInstance}" resource="${resourceLevel}" field="creator"/></td>
     </tr>
     <tr>
         <td class="property-name"><g:message code="core.image.metadata.created" /></td>

src/test/groovy/au/org/ala/images/SanitiserServiceSpec.groovy

@@ -21,7 +21,22 @@ class SanitiserServiceSpec extends Specification implements ServiceUnitTest<Sani
         '<p>hello <b>there</b></p> <p>How <i>are</i> you?</p>'       | 'hello <b>there</b> How <i>are</i> you?'
     }
 
-    void "text sanitisation with truncation"(String input, String output) {
+    void "test output == sanitised(input, imageId, key)"(String input, String output) {
+
+        expect:
+        output == service.sanitise(input, '1234-1234-1234', 'creator')
+
+        where:
+        input                                                        | output
+        'Some Guy < [email protected] >'                          | 'Some Guy &lt; some.guy&#64;example.org &gt;'
+        '<a href="https://hello">A</a>'                              | '<a href="https://hello" rel="nofollow">A</a>'
+        '<a href="https://hello" onclick="javascript:alert(1)">A</a>'| '<a href="https://hello" rel="nofollow">A</a>'
+        '<a href="https://hello" onclick="javascript:alert(1)">'     | '<a href="https://hello" rel="nofollow"></a>'
+        '\\<a onmouseover=alert(document.cookie)\\>xss link\\</a\\>' | '\\xss link\\'
+        '<p>hello <b>there</b></p> <p>How <i>are</i> you?</p>'       | 'hello <b>there</b> How <i>are</i> you?'
+    }
+
+    void "test sanitisation with truncation"(String input, String output) {
         expect:
 
         output == service.truncateAndSanitise(input, 10)
@@ -35,4 +50,19 @@ class SanitiserServiceSpec extends Specification implements ServiceUnitTest<Sani
         '<a href="https://example.org">hello <b>there</b> How <i>are</i> you?</a>'           | '<a href="https://example.org" rel="nofollow">hello <b>t...</b></a>'
         '<a onmouseover=alert(document.cookie)\\>hello <b>there</b> How <i>are</i> you?</a>' | 'hello <b>t...</b>'
     }
+
+    void "test sanitisation with truncation and context"(String input, String output) {
+        expect:
+
+        output == service.truncateAndSanitise(input, '1234-1234-1234-1234', 'creator', 10)
+
+        where:
+        input                                                                                | output
+        '\'"&&&&&&&&&&"\''                                                                   | '&#39;&#34;&amp;&amp;&amp;&amp;&amp;...'
+        'hello <b>there</b></p> <p>How <i>are</i> you?'                                      | 'hello <b>t...</b>'
+        '<p>hello <b>there</b></p> <p>How <i>are</i> you?</p>'                               | 'hello <b>t...</b>'
+        '<p>hello <b>there</b> How <i>are</i> you?</p>'                                      | 'hello <b>t...</b>'
+        '<a href="https://example.org">hello <b>there</b> How <i>are</i> you?</a>'           | '<a href="https://example.org" rel="nofollow">hello <b>t...</b></a>'
+        '<a onmouseover=alert(document.cookie)\\>hello <b>there</b> How <i>are</i> you?</a>' | 'hello <b>t...</b>'
+    }
 }